In this field, well-known is that personal computer is used to provide various data handling utilities.This personal computer generally includes the various input and output devices that are connected to a processor, and has preserved an operating system in the storer of this personal computer.This system comprises the program of a Power-On Self-Test (POST), when this computing machine is opened for the first time, this Power-On Self-Test program carry out work confirm to be connected to processor various input and output devices existence and confirm its condition of work.During POST, some specific memory device block of address space is scanned existing (as well-known in this field with one (perhaps a plurality of) sign indicating number that confirms to be called an adapter ROM, other memory technology, for example flash memory also can be used to substitute ROM), adapter ROM is used to connect specific peripheral apparatus, and sets up suitable starting condition for these peripheral apparatus.If found such adapter ROM in this memory address space, this adapter ROM carries out initialization routine and configuration routine then, this be so-called process of " ROM scanning ".In ROM scan period, the responsive memory area (preservation configuration information) in can access computer is to preserve the data as the ROM scanning result.Because these memory areas also relate to the problem of the secure context of personal computer, so control user input also is very important, to avoid inappropriate action, be designed in the interior security feature of PC operating system (and Power-On Self-Test program) with destruction.
ROM scanning patent is pointed out, during ROM scanning process and common POST, it is more desirable that the user who avoids people's computing machine one by one imports from a keyboard or other input equipment (for example mouse), and this can be by during the ROM scan operation or more generally pin keyboard during POST and other input equipment is realized.
But, during ROM scan period and initialization foundation, have some ROM adapters to encourage and need a user import, and the function that is provided in ROM scanning patent also will hinder such input.So, system in the existing field has the security that prevents the user and import (scan in patent provide as ROM) in ROM scan period, but forbid needed user's input type in some ROM adapter, perhaps allow the user to import in ROM scan period, but do not provide the safety issue that prevents improper user's input and produce, during the ROM scanning process, inappropriate user's input may destroy the safety issue in the configuration information.So the system in the existing field has worthless restriction and disadvantageous aspect.
By being provided at a system that can optionally allow the user to import during the ROM scanning process, the present invention has overcome the restriction and the disadvantageous aspect of the system in the existing field.Use this method, avoid the protection of the ROM scanning patent that the user imports normally effective, but carry out user's input or must carry out to allow to carry out such input in the situation of user's input in those hope.
Use this method, at ROM scan period, input equipment, for example keyboard is normally blocked, but imports and this user when also having the right to carry out such input when wishing to carry out such one, just can allow to import.Because be stored in some the ROM adapter code in the storer or between the starting period, need user's input, perhaps wish to allow this user's input, be desirable so when needs, can allow this user's input.The mandate that it is changed can be limited in those philtrums of being authorized to system configuration is changed, and this can realize by using suitable access rights password or supvr's password.
Advantage of the present invention is that it realizes simple, and during the Power-On Self-Test that comprises ROM scanning, can forbid effectively that usually the user imports, but when wishing, can allow to import and input is kept at the storer from the user.
During Power-On Self-Test, the present invention allows to lock and produces security function, but also allows to use the ROM adapter that needs user's input between the starting period.By reading following description about preferred implementation, and with reference to the accompanying drawings with the appended claim book, the technician in the association area will clearer other purpose of the present invention and advantage.
Some purpose of the present invention and advantage have been mentioned in the front, along with the description that the present invention is carried out, just can clearer other purpose of the present invention, and the present invention is the computer safety system and the method for an improvement, wherein:
In the following description of preferred implementation, realization known for inventor so far best implementation of the present invention will be described.But, the fundamental purpose of this description is to be used as wide, a general instruction of the present invention with a specific embodiment, rather than limit the present invention to as the embodiment as shown in this embodiment, particularly because those technician in this association area will recognize can be to shown and carry out many variations and change with reference to described ad hoc structure of these figure and operation, and still obtain the good like this result of the present invention.
Fig. 1 is a synoptic diagram of the computing machine of people one by one 10 useful in realizing the present invention.This personal computer 10 comprises a system unit 12, and this ps unit 12 is connected to a keyboard 14 and a mouse 16 and an output device, for example display 17 and printer 18.This keyboard 14 and mouse 16 are input equipments, and by this input equipment, the user can import, and display 17 and printer 18 are examples of an output device peripheral hardware, and by these output devices, the result of computing machine can be transmitted out.Other various input and output peripheral hardwares can use various traditional methods to be connected on the personal computer, for example card is inserted in the slot of system unit, is connected on the port and bus, for example a modulator-demodular unit, a universal serial bus, a parallel port or a USB port.Can use this method that various device is connected on this personal computer, and the many equipment in these equipment use the code that is called the ROM adapter code, the ROM adapter code is stored in the storer of system unit 12.Sometimes, various ROM adapter codes are known as the ROM adapter.One be called a process of ROM scanning during, carry out initialization set up dispose personal computer during, use the ROM adapter, this ROM scanning is by the technology in the existing field of contact, for example ROM scanning patent is described in more detail.
Fig. 2 is a synoptic diagram of the personal computer 10 of Fig. 1.In this Fig. 2, keyboard 14 and mouse 16 are connected to system unit 12 by an input interface 19.This system unit comprises to be preserved 22, one Power-On Self-Test programs 24 of an operating system and wherein preserves a storer 20 of the memory address space of ROM adapter 26.ROM adapter 26 is the code blocks that are stored in the memory address space, and relevant with the external device that can be connected to system unit 12, and allows to be based upon the starting condition in the personal computer 10 during Power-On Self-Test.In these ROM adapters some preserved with form completely, and these ROM adapters are loaded into data in the storer during Power-On Self-Test, but other ROM adapter can use the user at an input equipment, an input of for example carrying out on the keyboard 14.
Fig. 3 has shown the connection of the part of Power-On Self-Test related to the present invention.In module 27, the Power-On Self-Test process begins, and in module 28, mark is set forbids that the user imports during Power-On Self-Test, and forbid input equipment, as instructing in the ROM scanning patent.In module 30, swept memory is searched a ROM adapter.When a ROM adapter is arranged in storer, then test this ROM adapter and check whether a safety symbol 62 appears in the module 32.If there is not safety symbol 62 to exist, POST locks input equipment, activates ROM adapter initialization vector 56 then in module 29.In module 44, continue the ROM scanning process.If the ROM adapter has a safety symbol 62, just activate adapter ROM safety vector 64, input equipment is carried out release temporarily.Adapter ROM need to judge whether the user to import in module 34, and in module 35, adapter ROM need to judge whether a password or other mandate then.In module 36,, then in module 37, just test password or other and authorize and judge whether this user is authorized to if need a mandate for user input is provided; If this user is not authorized to, in module 43, POST locks input equipment, and adapter continues the execution initialization and do not carry out user's input.In step 44, continue the ROM scanning process.If this user successfully provides this mandate or password, if perhaps without any need for mandate, in module 38, forbid the mark that the user imports then with regard to removing, and the user is allowed to provide input, allows to set up the ROM adapter that needs user's input.In module 42, just provide the user to import.If in module 44, do not finish ROM scanning, then, control turns back to module 30, and the appearance of wherein searching another ROM adapter is searched the ROM adapter up to whole memory block being carried out scanning.In module 44, if finished ROM scanning, searched all storeies, then, POST continues its normal running in module 46.
As pointed in the ROM scanning patent, ROM adapter will have an indication or symbol and represent that it is a ROM adapter (value of pre-seting of the hexadecimal value AA55 in a ROM scanning adapter for example, as defined in the plug and play standard that in industry, is used), this indication or symbol are different with the data and the program of other form, and can be stored in the storer, so that it can be identified as a ROM adapter during POST.In addition,, can use any suitable method to finish locking, as by be closed in the connection between input equipment and the system unit through input interface 19 temporarily to input equipment as pointed in the ROM scanning patent.Alternatively, input equipment also can pass through other method, for example with irrelevant software or the hardware characteristics of input during Power-On Self-Test, is closed or locked.
Typically, one regulation subclass of the memory address space of personal computer 10 is carried out ROM scanning (searching the ROM adapter in module 30), typically, this memory address space is that 0C0000 is to 0DFFFF (sexadecimal), and with certain size of space, for example per 512 bytes scan, but whether in the centre, search the symbol of a ROM adapter head, for example sexadecimal AA55.As shown in Figure 4, shown a ROM head that in realizing the present invention, uses.In this showed, ROM 50 comprised 7 fields, a sign field 52,56, one reserved fields 58 of 54, one initialization vector of a length of stroke (run length) field, 60, one safety symbol fields 62 of a prolate-headed skew and a safety rule initialization vector 64.Latter two field is the expansion to the standard option ROM head of Plug and Play BIOS standard, and is convenient to realize the present invention.
As shown in Figure 5, when need considering the user to input a password to import in ROM scan period from the angle of safety, shown the form of the storehouse of the security initialization routine that will be delivered to adapter to be authorized to come.This preferably be used to with a system of the microprocessor of the X86 of an Intel compatibility, but also can be used for the microprocessor of other type by these those of skill in the art.Safety symbol field 62 is set to a selected value (sexadecimal 88DD), needs the cryptosecurity measure with indication in the past carrying out the ROM scanning process.Then, the address in field 64 is used to visit the security initialization routine among the ROM, and this security initialization routine will point out this user whether need to look at input.Before the routine in calling initialization vector 64, POST sets up storehouse as shown in Figure 5.Piece 70 is pointed out the skew that POST password prompt routine begins.Piece 72 comprises the sector address of POST password prompt routine code.Piece 74 is retained with return parameters, and piece 76 is used to return address IP, and piece 78 is used to the return address code segment.POST password prompt routine will according to circumstances be pointed out needs PAP or AP, and return to the initialization routine of adapter and whether correctly to have inputed password, and with its be stored in the storer, a value of expression proper password compares, and uses a traditional system to carry out cryptographic check.If correctly do not input password, to the ROM adapter initialization of remainder, keyboard and other input equipment will be closed.If correctly inputed password, then, this cryptographic check routine is just returned a designated symbol of successfully inputing password, and to the ROM adapter initialization of remainder, keyboard and pointing device (pointing device) interface 19 will be enabled.
Certainly, by of the description of reading front about preferred implementation, and connection with figures, these those of skill in the art will know and can much revise the present invention.For example, got in touch a password that is used for ID authentication or mandate and described an optional encryption device, and known, other person identifier, fingerprint for example, retina scanning, the geometry of symbol and hand can be authorized the people one by one who is authorized to import easily.The present invention that got in touch the function that to be performed and the test description that need be done, wherein many programs that will be stored in the computing machine are performed, and can design program according to the requirement of operating system and deviser's hobby, but its details is not a part of the present invention.Further, other code block of having got in touch the ROM adapter or having needed to import during Power-On Self-Test has been described the present invention, by using other input and At All Other Times, the present invention can determine easily when an input is normally blocked, and when optionally allows to import from a user.Can carry out a lot of other modifications to the present invention, and can not depart from spirit of the present invention.In addition, some aspect of the present invention can be favourable, and does not need correspondingly to use further feature.So the front will be regarded as merely the example of principle of the present invention about the description of preferred implementation, not have any restriction.